What is a "Symantec-internal testing process" that leads to Google certs being leaked outside of Symantec? Is some engineer poking around and just used "google.com" as an example? Seems like a pretty serious wtf moment. If I was Google I would be pissed.
One has to wonder how much of these CA shenanigans have been going on before these new systems were put in place to catch the rogue certificates.<p>It would stand to reason that people are more wary of it now that there is a high risk of getting caught.
After reading DrDuh's guide to install Yosemite, I thought a bit more about the ~200+ trusted CAs on my computer. I removed about ~50 using various heuristics, mostly arbitrary stuff like removing government agencies, and international CAs that I was skeptical of or otherwise assumed I would not need.<p>To get to my question though, how many CAs does one need to trust for the safest browsing experience? What CAs should be trusted and how can they be evaluated? How many-ish are you guys trusting?
<a href="https://api.ctwatch.net/domain/ycombinator.com" rel="nofollow">https://api.ctwatch.net/domain/ycombinator.com</a> is an RSS feed of all issued certificates for ycombinator.com and its subdomains.<p>Feel free to use that to check your own site's certificates!<p>(It's possible to directly query the multiple Certificate Transparency log servers for your site's certs, but non-trivial, hence why I implemented the above functionality.)<p>Code: <a href="https://github.com/certificate-transparency-watch/" rel="nofollow">https://github.com/certificate-transparency-watch/</a>
That's the problem with TLS trust: All it does is tell a browser that a CA trusts the certificate. The process to verify site ownership varies and is error-prone.